Various embodiments provide methods and apparatus for security in a distributed NAS terminations architecture. In an embodiment, a method performed by a terminal device comprises: generating an anchor key; receiving an anchor key identifier for the anchor key; deriving a set of non-access stratum, NAS, parent keys based on the anchor key, a subscription identifier and NAS indicators indicating different NAS procedures; and obtaining, for each of the set of NAS parent keys, a NAS parent key identifier.
-. (canceled)
. A terminal device, comprising:
. The terminal device according to, wherein to obtain, for each of the set of NAS parent keys, a NAS parent key identifier, the terminal device is caused to derive, for each of the set of NAS parent keys, the NAS parent key identifier based on the respective NAS indicator.
. The terminal device according to, wherein to obtain, for each of the set of NAS parent keys, a NAS parent key identifier, the terminal device is caused to:
. The terminal device according to, wherein the terminal device is further caused to:
. The terminal device according to, wherein the NAS parent key identifier associated with a NAS parent key has the same value as the NAS indicator based on which the NAS parent key is derived.
. The terminal device according to, wherein the terminal device is further caused to:
. The terminal device according to, wherein to request establishment of the first NAS connection carrying the first NAS procedure between the terminal device and the first core network entity, the terminal device is caused to:
. The terminal device according to, wherein to determine the NAS key for the first NAS connection, the terminal device is caused to:
. The terminal device according to, wherein the generation of the anchor key is performed after the request for establishment of the first NAS connection.
. The terminal device according to, wherein the terminal device is further caused to:
. The terminal device according to, wherein the terminal device is further caused to:
. The terminal device according to, wherein to request establishment of the second NAS connection carrying the second NAS procedure between the terminal device and the second core network entity, the terminal device is caused to:
. The terminal device according to, wherein to determine the NAS key for the second NAS connection, the terminal device is caused to:
. The terminal device according to any of, wherein the terminal device is further caused to:
. The terminal device according to, wherein the first NAS procedure and the second NAS procedure are the same NAS procedure or different NAS procedures.
. The terminal device according to, wherein the terminal device is further caused to derive access stratum, AS, keys based at least in part on the NAS key for the NAS connection carrying NAS mobility management procedures.
. A network entity configured to implement security key management function, comprising:
. A core network entity configured to implement a core network function, comprising:
Embodiments of the present disclosure generally relate to wireless communication, and more particularly, to methods and apparatuses for security in a distributed NAS terminations architecture.
In 5G System Architecture, as defined in 3GPP TS23.501, a non-access stratum (NAS) connection for a user equipment (UE) is always terminated in the serving network at a single network function (NF), e.g. access and mobility management function (AMF), as shown in. The NAS connection is integrity and confidentiality protected by means of a security procedure that is executed between the UE and the NF which establishes a NAS security context that is maintained by both the UE and the NF for the lifetime of the NAS connection. This NAS security context includes, among other parameters, the security keys and algorithms used to protect the NAS connection.
In a distributed NAS terminations architecture on the other hand, a UE may have multiple NAS connections which are terminated in the serving network at multiple different NFs. That is, the NAS connections are distributed across different NFs depending on NAS procedures that the NAS connections are supporting, as shown in. As an example, the UE may have two NAS connections terminated at two different NFs, one NAS connection carrying NAS mobility management procedure and being terminated at NF1, and the other NAS connection carrying NAS session management procedure and being terminated at NF2.
This summary is provided to introduce simplified concepts of subnetwork configuration and procedures to enable subnetwork operations, particularly on subnetwork identities. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
According to a first aspect of the disclosure, there is provided a terminal device. The terminal device comprises at least one processor and at least one memory storing instructions that, when executed by the at least one processor, cause the terminal device at least to: generate an anchor key; receive an anchor key identifier for the anchor key; derive a set of NAS parent keys based on the anchor key, a subscription identifier and NAS indicators indicating different NAS procedures; and obtain, for each of the set of NAS parent keys, a NAS parent key identifier.
According to a second aspect of the disclosure, there is provided a network entity configured to implement security key management function (SKMF). The network entity comprises at least one processor and at least one memory storing instructions that, when executed by the at least one processor, cause the network entity at least to: generate an anchor key with a terminal device; derive an anchor key identifier for the anchor key, and send the anchor key identifier to the terminal device; derive a set of NAS parent keys based on the anchor key, a subscription identifier and NAS indicators indicating different NAS procedures; and derive, for each of the set of NAS parent keys, a NAS parent key identifier based on the respective NAS indicator.
According to a third aspect of the disclosure, there is provided a core network entity configured to implement a core network function. The core network entity comprises at least one processor and at least one memory storing instructions that, when executed by the at least one processor, cause the network entity at least to: receive from a terminal device a request for establishment of a NAS connection carrying a NAS procedure between the terminal device and the core network entity; and obtain a NAS key for the NAS connection, wherein the NAS key is a NAS parent key or a NAS child key associated with a NAS indicator indicating the NAS procedure.
According to a fourth aspect of the disclosure, there is provided a method performed by a terminal device. The method comprises: generating an anchor key; receiving an anchor key identifier for the anchor key; deriving a set of non-access stratum, NAS, parent keys based on the anchor key, a subscription identifier and NAS indicators indicating different NAS procedures; and obtaining, for each of the set of NAS parent keys, a NAS parent key identifier.
According to a fifth aspect of the present disclosure, there is provided a method performed by a network entity configured to implement security key management function (SKMF). The method comprises: generating an anchor key with a terminal device; deriving an anchor key identifier for the anchor key, and sending the anchor key identifier to the terminal device; deriving a set of non-access stratum, NAS, parent keys based on the anchor key, a subscription identifier and NAS indicators indicating different NAS procedures; and deriving, for each of the set of NAS parent keys, a NAS parent key identifier based on the respective NAS indicator.
According to a sixth aspect of the present disclosure, there is provided a method performed by a core network entity configured to implement a core network function. The method comprises: receiving from a terminal device a request for establishment of a NAS connection carrying a NAS procedure between the terminal device and the core network entity; and obtaining a NAS key for the NAS connection, wherein the NAS key is a NAS parent key or a NAS child key associated with a NAS indicator indicating the NAS procedure.
According to a seventh aspect of the present disclosure, there is provided a terminal device. The terminal device comprises means for performing steps of any method according to the fourth aspect.
According to an eighth aspect of the present disclosure, there is provided a network entity configured to implement security key management function (SKMF). The network entity comprises means for performing steps of any method according to the fifth aspect.
According to a ninth aspect of the present disclosure, there is provided a core network entity configured to implement a core network function. The core network entity comprises means for performing steps of any method according to the sixth aspect.
According to a tenth aspect of the present disclosure, there is provided a computer readable storage medium on which instructions are stored which, when executed by at least one processor, cause the at least one processor to perform any method according to the fourth, fifth or sixth aspect.
According to an eleventh aspect of the present disclosure, there is provided a computer program product comprising instructions which, when executed by at least one processor, cause the at least one processor to perform any method according to the fourth, fifth or sixth aspect.
It is to be understood that the summary section is not intended to identify key or essential features of embodiments of the present disclosure, nor is it intended to be used to limit the scope of the present disclosure. Other features of the present disclosure will become easily comprehensible through the following description.
Some example embodiments will now be described more fully hereinafter with reference to the accompanying drawings, in which some, but not all embodiments are shown. Indeed, the example embodiments may take many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will satisfy applicable legal requirements. Like reference numerals refer to like elements throughout.
In the following description and claims, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skills in the art to which this disclosure belongs.
References in the present disclosure to “one embodiment”, “an embodiment”, “an example embodiment”, and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an example embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
It shall be understood that although the terms “first” and “second” etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and similarly, a second element could be termed a first element, without departing from the scope of example embodiments. As used herein, the term “and/or” includes any and all combinations of one or more of the listed terms.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises”, “comprising”, “has”, “having”, “includes” and/or “including”, when used herein, specify the presence of stated features, elements, and/or components etc., but do not preclude the presence or addition of one or more other features, elements, components and/or combinations thereof.
As used in this application, the term “circuitry” may refer to one or more or all of the following:
This definition of “circuitry” applies to all uses of this term in this application, including in any claims. As a further example, as used in this application, the term “circuitry” also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term “circuitry” also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in a server, a cellular network device, or other computing or network device.
As used herein, the term “communication network” refers to a network following any suitable communication standards, such as Long Term Evolution (LTE), LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), High-Speed Packet Access (HSPA), Narrow Band Internet of Things (NB-IoT), New Radio (NR) and so on. Furthermore, the communications between a terminal device and a network device in the communication network may be performed according to any suitable generation communication protocols, including, but not limited to, the first generation (1G), the second generation (2G), 2.5G, 2.75G, the third generation (3G), the fourth generation (4G), 4.5G, 5G, the future sixth generation (6G) communication protocols, and/or any other protocols either currently known or to be developed in the future. Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future type communication technologies and systems with which the present disclosure may be embodied. It should not be seen as limiting the scope of the present disclosure to only the aforementioned system.
As used herein, the term “terminal device” refers to any end device that can access a communication network and receive services therefrom. By way of example and not limitation, the terminal device may refer to a user equipment (UE) which may be a combination of a Universal Integrated Circuit Card (UICC)/Subscriber Identity Module (SIM) Card and a mobile equipment (ME), or other suitable devices. In the following description, the terms “terminal device”, “user equipment” and “UE” may be used interchangeably.
As used herein, the term “network entity” refers to any entity supporting a network function in a communication network. The network entity can be implemented in a physical network node, or in a virtual network node which performs a function using logical resources in more than one physical network node.
As mentioned above, the 5G system architecture defines in 3GPP specifications (e.g. TS 23.501/23.502/24.501/33.501) how security is achieved for a single NAS connection between a UE and a single NF. However, no solution is defined to achieve security for multiple NAS connections of a distributed NAS terminations architecture.
Thus, various embodiments of the present disclosure describe a framework to secure the NAS connections of the distributed NAS terminations architecture. Specifically, the framework provides a mechanism for derivation and distribution of shared secret keys and associated key identifiers used to secure the NAS connections established between the UE and the terminating NFs.
Firstly, a key hierarchy for the distributed NAS termination architecture is described. To aid in the description, an analogy to a subset of the current 5G architecture key hierarchy is provided where the terms “anchor key” and “NAS parent key” are analogous to Kseaf and Kamf respectively. However, multiple NAS parent keys exist where Kamf can be considered as one NAS parent key. The NAS parent keys provide key separation for NAS connections carrying different NAS procedures such as NAS mobility management procedures, NAS session management procedures, NAS UE policy management procedures and so on.
illustrates an example of the key hierarchy for the distributed NAS terminations architecture (Option 1) according to some embodiments of the present disclosure, which includes a common anchor key and a common NAS parent key. Referring to, a single anchor key Ka is established by means of an authentication and key agreement (AKA) procedure, which is common to all NAS connections. This anchor key Ka is equivalent to Kseaf key in the current 5G architecture key hierarchy. A single NAS parent key Kp is derived from the common anchor key Ka which is common to all NAS connections. This approach requires a single AKA procedure run irrespective of the number of NAS connections.
Option 1 is closely aligned with the current 5G architecture key hierarchy. However, it has a number of drawbacks when applied to the distributed NAS terminations architecture: a) since the same NAS parent key Kp is used across different NAS connections, it can increase the attack surface and weaken NAS security, especially with multiple NAS termination points; and b) the same NAS parent key Kp needs to be distributed to multiple NFs, which increases the attack surface compared to 5G and weakens NAS security.
illustrates another example of the key hierarchy for the distributed NAS terminations architecture (Option 2) according to some embodiments of the present disclosure, which includes a common anchor key Ka and multiple NAS parent keys, Kp1, Kp2 . . . Kpn. Referring to, an anchor key Ka is established by means of an AKA procedure, which is common to all NAS connections. This anchor key Ka is equivalent to Kseaf key in the current 5G architecture key hierarchy. Multiple NAS parent keys Kp1, Kp2 . . . Kpn are derived from this common anchor key Ka for each NAS connection. This approach requires a single AKA procedure run irrespective of the number of NAS connections.
illustrates yet another example of the key hierarchy for the distributed NAS terminations architecture (Option 3) according to some embodiments of the present disclosure, which includes multiple anchor keys and multiple NAS parent keys. Referring to, multiple anchor keys Ka1, Ka2, . . . Kan are established by means of an AKA procedure, one for each NAS connection. These anchor keys Ka1, Ka2, . . . Kan are equivalent to multiple unique Kseaf keys derived from a Kausf key in the current 5G architecture key hierarchy. A NAS parent key is derived from each anchor key for each NAS connection. As shown in, the NAS parent key Kp1 is derived from the anchor key Ka1, the NAS parent key Kp2 is derived from the anchor key Ka2, and the NAS parent key Kpn is derived from the anchor key Kan. This approach requires an AKA procedure run for each NAS connection.
Option 2 and Option 3 propose to use multiple NAS parent keys, which provide unique shared secret keys per NAS connection and hence offer better NAS security than Option 1, which has a common NAS parent key for all NAS connections.
Option 3 may be considered to offer the most robust security in that each NAS connection has its own anchor key and NAS parent key derived from an AKA run. However, Option 3 requires the AKA procedure to run and signal with the home network each time a new NAS connection is established, which can hinder performance of the NAS procedures. Furthermore, it also impacts the home network NFs (e.g. authentication server function (AUSF), unified data management (UDM), unified data repository (UDR)) as well as the UE (e.g. universal integrated circuit card (UICC), mobile equipment (ME)), which must derive, store and manage multiple anchor keys.
Option 2 also supports multiple NAS parent keys, but due to the common anchor key it requires only a single AKA procedure for multiple NAS connections and does not have any impact on the home network NFs (e.g. AUSF, UDM, UDR). As such, Option 2 is considered the optimal key hierarchy for the distributed NAS terminations architecture and will be elaborated later. The following description is given in the context of Option 2, but is also applicable to Option 3.
illustrates still another example of the key hierarchy for the distributed NAS terminations architecture according to some embodiments of the present disclosure, in which a NAS child key is proposed in addition to the common anchor key Ka and multiple NAS parent keys, e.g. Kp1, Kp2. While the NAS parent keys provide key separation for NAS connections carrying different NAS procedures, the NAS child keys provide key separation for NAS connections carrying the same NAS procedure, for instance NAS session management procedures. A UE may have two NAS protocol data unit (PDU) sessions, and hence two NAS connections belonging to different network slices, each slice having different security requirements. As shown in, the NAS child keys Kc2-1 and Kc2-2 are derived from the NAS parent key Kp2 for the two NAS connections. The NAS child keys provide key separation between these two NAS connections. Note that the NAS child key applies predominantly to NAS session management procedures, but its use is not precluded for other NAS procedures.
is an exemplary call flow for securing multiple NAS connections according to some embodiments of the present disclosure, which depicts a scenario where a UE is registered in a network and subsequently establishes two different NAS connections, one carrying NAS session management procedures and another carrying NAS UE policy management procedures. In this example, the call flow involves the UE, two core NFs, NF1 and NF2, and security key management function (SKMF) which is analogous to security anchor function (SEAF) in 5G.
At step, the primary AKA procedure is executed which establishes in both the UE and the SKMF an anchor key and a set of NAS parent keys.
At step, the UE requests establishment of NAS Connection #1 by sending a NAS connection request #1 message, for instance an initial NAS Session Management (SM) Request, which is routed to NF1. Since NF1 does not have a valid security context for NAS Connection #1, it requests a key from the SKMF e.g. by sending a key request.
At step, based on information provided in the key request from NF1, the SKMF may either select an already derived NAS parent key specific to NAS SM procedures or alternatively derive a NAS child key from the selected NAS parent key, and returns the NAS parent key or the NAS child key to NF1 e.g. in a key response.
At step, NF1 uses the received key to further derive NAS integrity and encryption keys to be used with selected NAS integrity and encryption algorithms to secure NAS Connection #1. NF1 sends a NAS security mode command message towards the UE.
At step, based on the NAS security mode command message received from NF1, the UE may either select an already derived NAS parent key specific to NAS SM procedures or alternatively derive a NAS child key from the selected NAS parent key, and use the NAS parent key or the NAS child key to further derive NAS integrity and encryption keys as derived at NF1. The UE populates the complete NAS connection request #1 message into a NAS security mode complete message, secures the NAS security mode complete message with the NAS integrity and encryption keys and sends the encrypted and integrity protected NAS security mode complete message to NF1.
At step, NF1 uses its NAS integrity and encryption keys to perform security checks on the received NAS security mode complete message, extracts the complete NAS connection request #1 message, processes it and returns a NAS connection response #1 to the UE. At this point, a security context is established between the UE and NF1 for NAS Connection #1 using the derived NAS integrity and encryption keys and the selected NAS integrity and encryption algorithms.
At step, the UE requests establishment of NAS Connection #2 by sending NAS connection request #2 message, for instance an initial NAS UE Policy Request, which is routed to NF2. Since NF2 does not have a valid security context for this NAS connection, it requests a key from the SKMF by sending a key request to the SKMF.
At step, based on information provided in the key request from NF2, the SKMF may either select an already derived NAS parent key specific to NAS UE policy management procedures or alternatively derive a NAS child key from the selected NAS parent key, and returns the NAS parent key or the NAS child key to NF2.
At step, NF2 uses the received key to further derive NAS integrity and encryption keys to be used with selected NAS integrity and encryption algorithms to secure the NAS Connection #2. NF2 sends a NAS security mode command message towards the UE.
At step, based on the NAS security mode command message received from NF2, the UE may either select an already derived NAS parent key specific to NAS UE policy management procedures or alternatively derive a NAS child key from the selected NAS parent key, and use the NAS parent key or the NAS child key to further derive NAS integrity and encryption keys as derived at NF2. The UE populates the complete NAS connection request #2 message into a NAS security mode complete message, secures the NAS security mode complete message with the NAS integrity and encryption keys and sends the encrypted and integrity protected NAS security mode complete message to NF2.
At step, NF2 uses its NAS integrity and encryption keys to perform security checks on the received NAS security mode complete message, extracts the complete NAS connection request #2 message, processes it and returns a NAS connection response #2 to the UE. At this point, a security context is established between the UE and NF2 for NAS Connection #2 using the derived NAS integrity and encryption keys and the selected NAS integrity and encryption algorithms.
Subsequent NAS message exchanges related to NAS Connection #1 and NAS Connection #2 are protected by their respective security contexts which survive idle-connected mode transition and hence avoid the need to rerun the NAS security mode command procedures.
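The Option 2 key hierarchy and the call flow above, as an added Python model that is not part of the patent: one anchor key Ka from the primary AKA, per-procedure NAS parent keys derived from Ka, the subscription identifier and a NAS indicator, optional NAS child keys for two connections carrying the same procedure, and the NAS integrity and encryption keys that the UE and each terminating NF derive from the key the SKMF returns. The HMAC-SHA-256 KDF, the FC values, the choice to set the NAS parent key identifier equal to the NAS indicator, and all sample values are assumptions made here; the description does not specify them.

```python
import hashlib
import hmac

# Constructed NAS indicators, one per NAS procedure type a connection may carry.
NAS_MM, NAS_SM, NAS_UEPOL = b"\x01", b"\x02", b"\x03"
# Arbitrary function codes for this example; they only separate KDF purposes.
FC_PARENT, FC_CHILD, FC_NAS_INT, FC_NAS_ENC = 0x01, 0x02, 0x03, 0x04


def kdf(key, fc, *params):
    """HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ... (TS 33.220-style encoding)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


class KeyHolder:
    """Shared logic of the UE and the SKMF: both hold Ka and derive the same hierarchy."""

    def __init__(self, ka, supi, indicators):
        self.ka = ka
        # Anchor key identifier: truncated hash of Ka (assumption; in the description the
        # SKMF derives it and sends it to the UE, here both sides compute it locally).
        self.ka_id = hashlib.sha256(ka).digest()[:4]
        # Kp_i = KDF(Ka, SUPI, NAS indicator_i). The parent key identifier is set equal
        # to the NAS indicator, one of the options the description gives.
        self.parents = {ind: kdf(ka, FC_PARENT, supi, ind) for ind in indicators}

    def nas_key(self, kp_id, child_ctx=None):
        """Select the NAS parent key by identifier or derive a NAS child key from it.

        child_ctx is an opaque per-connection value (e.g. a slice identifier) that
        separates two connections carrying the same NAS procedure.
        """
        kp = self.parents[kp_id]
        return kp if child_ctx is None else kdf(kp, FC_CHILD, child_ctx)


def nas_protection_keys(k, int_alg, enc_alg):
    """Derive the NAS integrity and encryption keys bound to the selected algorithms."""
    return (kdf(k, FC_NAS_INT, bytes([int_alg])), kdf(k, FC_NAS_ENC, bytes([enc_alg])))


def establish_nas_connection(ue, skmf, kp_id, child_ctx, int_alg=2, enc_alg=2):
    """One NAS connection setup as in the call flow; returns (UE keys, NF keys).

    The terminating NF asks the SKMF for a key (key request/response), derives the
    NAS keys and tells the UE in the security mode command which parent key id,
    child context and algorithms it used; the UE mirrors the derivation locally.
    """
    nf_key = skmf.nas_key(kp_id, child_ctx)                  # SKMF key response
    nf_keys = nas_protection_keys(nf_key, int_alg, enc_alg)
    smc = {"kp_id": kp_id, "child_ctx": child_ctx, "int_alg": int_alg, "enc_alg": enc_alg}
    ue_key = ue.nas_key(smc["kp_id"], smc["child_ctx"])       # UE side, from the SMC
    ue_keys = nas_protection_keys(ue_key, smc["int_alg"], smc["enc_alg"])
    return ue_keys, nf_keys


def run_call_flow():
    """Registration plus the two connections of the call flow, and a second SM connection."""
    # Constructed values standing in for the primary AKA output and the subscription id.
    ka = hashlib.sha256(b"constructed anchor key from primary AKA").digest()
    supi = b"imsi-001010123456789"
    indicators = [NAS_MM, NAS_SM, NAS_UEPOL]
    ue, skmf = KeyHolder(ka, supi, indicators), KeyHolder(ka, supi, indicators)
    # NAS Connection #1 (NF1): SM procedure, child key for one slice.
    c1 = establish_nas_connection(ue, skmf, NAS_SM, b"slice-A")
    # A second SM connection in another slice gets its own child key from the same Kp.
    c1b = establish_nas_connection(ue, skmf, NAS_SM, b"slice-B")
    # NAS Connection #2 (NF2): UE policy procedure, parent key used directly.
    c2 = establish_nas_connection(ue, skmf, NAS_UEPOL, None)
    return {"c1": c1, "c1b": c1b, "c2": c2, "ka_id": ue.ka_id}


if __name__ == "__main__":
    res = run_call_flow()
    for name in ("c1", "c1b", "c2"):
        print(name, "UE/NF keys match:", res[name][0] == res[name][1])
```

The two SM connections show the point of the child key: they share Kp2 but end up with distinct NAS keys, while the UE policy connection never sees any SM key material.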
December 4, 2025